Finding pwned passwords with 1Password
by Jeff Shiner
1Password integrates with Pwned Passwords, a service that allows you to check if your passwords have been leaked on the Internet.
In early 2018, Troy Hunt launched Pwned Passwords, a service that allows you to check if your passwords have been leaked online. His database now has more than 500 million passwords that have been collected from various breaches across multiple sites. Checking your passwords against this list is immensely valuable and helps keep you protected.
Watchtower integrates this feature into 1Password to securely check for compromised passwords and logins.
We know it can be time-consuming to individually check each password to see if it’s been compromised. And while you want to stay safe, you’ve got plenty of other things to do with your time. That’s why Watchtower automatically alerts you to any password breaches or other security problems on the websites you have saved in 1Password.
Watchtower is included with every 1Password subscription. It’s updated whenever any security breaches are reported, so you are alerted immediately and can change your passwords right away.
“Greater vault flexibility and a more robust Watchtower are more about managing your passwords and other information. Both features make it easier than ever to organize your sensitive data and evaluate the safety of the passwords you create. It’s a combination that makes auditing the security of your passwords and managing things like shared passwords easier than ever and worth another look if you haven’t tried that aspect of 1Password in a while.”
A Redesigned 1Password 7 for Mac Enhances Watchtower and Adds Flexibility to Vaults, App Login Support, and More, John Voorhees, MacStories.
The beauty of Watchtower is that it’s able to do all this without knowing which websites you have saved in 1Password. 1Password downloads all of the Watchtower information to check your websites on your devices, keeping you safe against security breaches.
Personally, I’ve always been afraid of using a service that requires me to send my password to be checked. Once my password has been sent out into the vast reaches of the internet, it’s known, and I can’t use it anymore. It’s the same reason why “correct horse battery staple” was a strong password until this comic came out.
Thankfully, Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.
I’m really happy they managed to find a way to make this possible because it allowed us to integrate this feature with 1Password.
Hopefully, you’re as intrigued about how this works as I am. It’s what got me the most excited when I saw Troy’s announcement!
Before I dive into the explanation, I want to reiterate that Troy’s new service allows us to check your passwords while keeping them safe and secure. They’re never sent to us or his service.
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.
To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match, then we know this password is known and should be changed.
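The prefix-only exchange described above, sketched in Python as an added example (it is not 1Password's or the Pwned Passwords service's code). The leaked list, the in-process `server_range_lookup` stand-in for the service, and all function names are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample corpus standing in for the breach database (not real service data).
LEAKED_PASSWORDS = ["password", "123456", "correct horse battery staple", "letmein"]


def sha1_hex(password: str) -> str:
    """40-character SHA-1 hex digest of the UTF-8 password (uppercased for this example)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: bucket leaked hashes by their first five hex characters."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


INDEX = build_index(LEAKED_PASSWORDS)


def server_range_lookup(index, prefix: str):
    """Server side (hypothetical stand-in): accepts only a 5-character prefix
    and returns the 35-character remainders of every leaked hash in that bucket."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(index.get(prefix, set()))


def is_pwned(password: str, lookup) -> bool:
    """Client side: only the prefix is passed to `lookup`; the remaining
    35 characters of the hash are compared on the device."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = lookup(prefix)  # the only value that leaves the client
    return suffix in set(candidates)


if __name__ == "__main__":
    lookup = lambda prefix: server_range_lookup(INDEX, prefix)
    for candidate in ["password", "a-constructed-unleaked-passphrase-7431"]:
        print(candidate, "->", "leaked" if is_pwned(candidate, lookup) else "not in list")
```

The stand-in server rejects anything longer than five characters, which makes the property from the text explicit: a full hash is never a valid request.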
Troy offers a detailed write-up of how this works in his Pwned Password v2 announcement post. Check out the “Cloudflare, Privacy and k-Anonymity” section if you find this as fascinating as I do.
Troy Hunt is a respected member of the security community. He’s best known for his Have I Been Pwned? service. Troy spends a lot of his personal time collecting data from every website breach he can find, adding every leaked password to his database.
The Internet is a safer place thanks to Troy Hunt, which is why we are so proud to have partnered with Troy and Have I Been Pwned to protect you against these breaches. As Troy said in his post about the announcement, “Working with 1Password was the obvious choice for a number of reasons, the most obvious being my long-standing history with them. This is a product I was already endorsed in by my own free volition and from the perspective of my own authenticity, that was very important.”
Want to keep your passwords and logins safe and secure? Sign up and get started with 1Password today!